{"id":62260,"date":"2022-05-31T13:51:24","date_gmt":"2022-05-31T10:51:24","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=62260"},"modified":"2025-09-05T16:53:53","modified_gmt":"2025-09-05T13:53:53","slug":"hacker-drains-90-million-from-mirror-protocol-discovery-seven-months-later","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/hacker-drains-90-million-from-mirror-protocol-discovery-seven-months-later\/","title":{"rendered":"Hacker drains $90 million from Mirror Protocol; discovery seven months later"},"content":{"rendered":"<p>The Terra-based DeFi protocol Mirror was exploited for more than $90 million. The incident was uncovered by analyst FatMan and confirmed by the cybersecurity firm BlockSec.<\/p>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\">\n<p lang=\"en\" dir=\"ltr\">As pointed out by many followers (thanks very much), the attack transaction can be viewed on the \u2018classic\u2019 chain (<a href=\"https:\/\/t.co\/9nmweKv1hC\">https:\/\/t.co\/9nmweKv1hC<\/a>). <\/p>\n<p>We have made a clarification here: <a href=\"https:\/\/t.co\/Sqj5jet6Ij\">https:\/\/t.co\/Sqj5jet6Ij<\/a><\/p>\n<p>\u2014 BlockSec (@BlockSecTeam) <a href=\"https:\/\/twitter.com\/BlockSecTeam\/status\/1530865203029499905?ref_src=twsrc%5Etfw\">May 29, 2022<\/a><\/p><\/blockquote>\n<p>To open a short position on a Mirror Protocol synthetic asset, collateral (UST, LUNA Classic and mAssets) must be locked for at least 14 days. After the operation is completed, the tokens can be withdrawn back to the wallet.<\/p>\n<p>Ownership of the locked collateral was established by an identifier generated by the smart contract. Because of a vulnerability, the protocol did not prevent the same user from withdrawing that collateral multiple times. 
In October 2021, an unknown person uncovered this, causing losses totalling $90 million \u2014 an amount hundreds of times larger than the collateral he had locked.<\/p>\n<p>BlockSec explained that this became known only now because Mirror&#8217;s site did not display data on the amount of collateral deposited by users. Another factor was the community&#8217;s insufficient attention to on-chain data analysis on Terra compared with Ethereum and <span data-descr=\"Ethereum Virtual Machine - the Ethereum virtual machine\" class=\"old_tooltip\">EVM<\/span>-compatible networks.<\/p>\n<p>In May, a few days after the Terra collapse, Mirror Protocol <a href=\"https:\/\/github.com\/Mirror-Protocol\/mirror-contracts\/commit\/56cc6946b9457293ede6aa0feb296ee1d16f6974\">fixed<\/a> the exploit. On the forum, the team left unanswered a <a href=\"https:\/\/forum.mirror.finance\/t\/was-there-a-security-hole-in-the-lock-contract\/3390\">question<\/a> about whether anyone had exploited the vulnerability.<\/p>\n<p>Recently an unknown actor withdrew another $2 million from Mirror amid issues with the price oracle. This vulnerability was spotted by a member of the Mirror user community and confirmed by FatMan.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Mirror Protocol is being exploited again as we speak, and the devs are completely MIA. So far, the attacker has drained over $2m and counting \u2014 the attack will get worse when markets open tomorrow unless the dev team steps in and fixes the price oracle. 
<a href=\"https:\/\/twitter.com\/mirror_protocol?ref_src=twsrc%5Etfw\">@mirror_protocol<\/a> (1\/4)<\/p>\n<p>\u2014 FatMan (@FatManTerra) <a href=\"https:\/\/twitter.com\/FatManTerra\/status\/1531365988809293825?ref_src=twsrc%5Etfw\">May 30, 2022<\/a><\/p><\/blockquote>\n<p>The analyst warned that the attacker could do the same with the mAsset pools, risking a build-up of bad debt and the protocol&#8217;s collapse. Access to them was suspended until the start of the pre-market trading session.<\/p>\n<p>The situation was saved by the weekend and Memorial Day in the US, when the stock market was closed.<\/p>\n<p>The developers heeded the expert&#8217;s advice. They disabled the use of mBTC, mETH, mGLXY and mDOT as collateral, preventing a \u201ccatastrophe\u201d. As a result, the attacker lost the ability to drain the liquidity pools.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Crisis averted \u2014 in the nick of time, Mirror disabled the usage of mBTC, mETH, mGLXY and mDOT as collateral. The attacker can no longer use his ill-gotten endowment to drain the rest of the pools. Great job <a href=\"https:\/\/twitter.com\/mirror_protocol?ref_src=twsrc%5Etfw\">@mirror_protocol<\/a> \u2014 thank you! 
<a href=\"https:\/\/t.co\/o64SVIRBmZ\">https:\/\/t.co\/o64SVIRBmZ<\/a><\/p>\n<p>\u2014 FatMan (@FatManTerra) <a href=\"https:\/\/twitter.com\/FatManTerra\/status\/1531549670740267009?ref_src=twsrc%5Etfw\">May 31, 2022<\/a><\/p><\/blockquote>\n<p>Earlier in May, FatMan suspected Terraform Labs CEO Do Kwon and venture capitalists of manipulating Mirror Protocol.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Terra-based DeFi protocol Mirror was exploited for more than $90 million. It was discovered by analyst FatMan and confirmed by BlockSec, a cybersecurity firm.<\/p>\n","protected":false},"author":1,"featured_media":62261,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1301,1093,852],"class_list":["post-62260","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-blockchain-vulnerabilities","tag-defi","tag-terra"],"aioseo_notices":[],"amp_enabled":true,"views":"37","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/62260","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments
?post=62260"}],"version-history":[{"count":1,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/62260\/revisions"}],"predecessor-version":[{"id":62262,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/62260\/revisions\/62262"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/62261"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=62260"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=62260"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=62260"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}